A fault tolerant electronic braking system for a vehicle has a brake pedal arranged to provide an electronic signal in response to operation thereof. A number of braking nodes are coupled to the brake pedal, each node being arranged to control a brake actuator. Each brake node has a controller arranged for processing the first signal to provide a second signal for controlling the brake actuator, and for providing third signals for transmission to the other control means. The third signals are the expected second signal results of the other controllers. Each controller is arranged to compare the second signal with the third signals received from the other controllers such that errors detected between the second and third signals indicate faults in the controllers.
1. A fault tolerant electronic braking system for a vehicle, comprising:
a user operated input arranged to provide a first signal in response to operation thereof; and, at least three braking nodes coupled to the user operated input, each node being arranged to control at least one brake actuator, each node having control means arranged for processing the first signal to provide a second signal for controlling the at least one brake actuator, and to provide a plurality of third signals to the at least two other control means, the third signals being the second signal results of the at least two other control means; wherein each control means is arranged to compare the second signal with the third signals received from the at least two other control means such that errors detected between the second and third signals indicate faults in the at least three control means.
2. The system of
3. The system of
4. The system of
5. The system of
6. The system of
7. The system of
8. The system of
9. The system of
10. The system of
11. The system of
This invention relates to fault-tolerant electronic braking systems.
In recent years, automobile manufacturers have sought to replace many expensive mechanical components with electronic components. Future automotive designs contemplate the removal of even more mechanical components, particularly in respect of control linkages to the engine, wheels, etc., replacing them with `by-wire` technology, partially derived from the `fly-by-wire` technology associated with the aircraft industry.
For example, the hydraulic or mechanical braking system of an automobile may be replaced by a microprocessor controlled system, having a pedal which, upon actuation by the driver, transmits electronic signals to brake actuators located in proximity to the brakes. The brake actuators apply the brakes in dependence upon the electronic signals.
In safety critical applications, such as the brake system described above, the system must be fault-tolerant, such that if a fault should occur, at least some functionality of the system will continue. Known arrangements to provide fault-tolerance include redundant systems having two or more microprocessors which operate independently of each other and cross-check each other to detect faults.
A problem with this arrangement is that the larger the number of processors, the more cost is added to the system, and the fewer the number of processors, the greater the chances of all processors in the system developing a fault.
This invention seeks to provide a fault-tolerant electronic braking system which mitigates the above mentioned disadvantages.
According to the present invention there is provided a fault-tolerant electronic braking system for a vehicle, comprising: a user operated input arranged to provide a first signal in response to operation thereof; and, at least three braking nodes coupled to the user operated input, each node being arranged to control at least one brake actuator, each node having control means arranged for processing the first signal to provide a second signal for controlling the at least one brake actuator, and to provide a plurality of third signals to the at least two other control means, the third signals being expected second signal results of the at least two other control means; wherein each control means is arranged to compare the second signal with the third signals received from the at least two other control means such that errors detected between the second and third signals indicate faults in the at least three control means.
Preferably upon detection of a fault, each control means uses a voting scheme to determine which of the second and third signals is to be used as a fourth signal to control each of the brake actuators.
Each control means is also preferably arranged to transmit the fourth signal to the at least two other control means, in order to verify whether the voting scheme has been used correctly.
The at least three brake nodes are preferably distributed in mutually remote locations of the vehicle. Preferably the first signal is adapted such that it is transmitted to the at least three brake nodes in a synchronous manner.
The first signal is preferably re-transmitted by each of the control means, for further fault detection. Preferably the at least three brake nodes comprise four brake nodes, each arranged to control one of four brake actuators.
In this way a fault-tolerant electronic braking system is provided which is cost effective, with improved fault-tolerance and enhanced fault-detection.
An exemplary embodiment of the invention will now be described with reference to the single FIGURE drawing which shows a preferred embodiment of a fault-tolerant electronic braking system in accordance with the invention.
Referring to the single FIGURE drawing, there is shown a fault-tolerant electronic braking system 5 for a vehicle (not shown), including first, second, third, and fourth wheel nodes having electronic control units (ECUs) 10, 20, 30 and 40, which are distributed in mutually remote locations of the vehicle. Each of the first, second, third, and fourth ECUs 10, 20, 30 and 40 is coupled to an associated first, second, third or fourth brake actuator 15, 25, 35, 45 respectively.
The first, second, third, and fourth ECUs 10, 20, 30 and 40 respectively are also each coupled to first and second buses 7 and 8 respectively. The brake pedal unit 50 (shown as Pedal) is also connected to the first and second buses 7 and 8 respectively. The first and second buses 7 and 8 respectively are substantially identical and are both arranged to provide synchronous signals according to a Time Division Multiple Access scheme (TDMA) or similar.
High level functions of current braking systems may be integrated into the system 5 via a (high level) ECU 60 attached to the buses 7 and 8, or by a gateway to an ECU (not shown).
The brake pedal unit 50 has a transducer (not shown) and is arranged to provide first electronic signals to the first and second buses 7 and 8 respectively in response to a conventional force applied to a brake pedal (not shown) of the unit 50. The brake pedal unit 50 may be arranged to pre-process the signals.
Each of the first, second, third, and fourth ECUs 10, 20, 30, 40 can operate independently from the other ECUs if required, and is able to provide a processed result signal to the associated brake actuator 15, 25, 35 or 45 in response to the first signals received from the brake pedal unit 50. In this way a basic braking function is achieved, which is the minimum required for safe operation, not necessarily including higher level functions such as vehicle stability management or traction control. The provision of first and second buses 7 and 8 provides fault-tolerance in the case of a problem occurring therein.
In addition, each of the first, second, third, and fourth ECUs 10, 20, 30, 40 performs a similar algorithm using the same first signals received from the brake pedal unit 50, and provides the first signals and the result signals to the other ECUs. In this way each of the first, second, third, and fourth ECUs 10, 20, 30, 40 can detect incorrect operation by comparing its received first signals and result signals with those of the other ECUs.
As four ECUs are available to check data against, it is possible to not only detect that there is a problem somewhere in the system 5, but also to identify the faulty ECU. A faulty ECU can therefore be identified, either by itself, or by the majority of the ECUs in the system 5 via a voting procedure, whereby the ECU having the most different results compared to the other ECUs is considered to be faulty.
After a fault has been identified, appropriate action can be taken, such as logging the fault, running diagnostics, or resetting or disabling the node. If an ECU is disabled due to a fault, the system 5 can be arranged such that the main braking function will be re-distributed across the operating ECUs.
As each ECU checks its operation against the other ECUs, faults can be detected that may be undetectable by using a simpler self-test type of checking in isolation. For example, an ECU may exhibit a fault where it decodes the received signals from the brake pedal unit 50 incorrectly, but the decoded value is still within the allowed range. The ECU would pass a self-test, and act on the faulty data if no other tests were performed, but with the described checking against other ECUs, the incorrect data would be detected.
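The cross-check and voting procedure described above, and the in-range decoding fault that a self-test misses, can be sketched as follows. This is an added example, not code from the patent; the function names, the pedal range, the tolerance and the linear pedal-to-brake mapping are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define N_ECU     4     /* four wheel-node ECUs, as in the embodiment */
#define PEDAL_MAX 1023  /* assumed valid range of a decoded pedal value */
#define TOLERANCE 2     /* assumed allowed spread between result signals */

/* Isolated self-test: only checks that the decoded value is in range. */
int self_test_ok(int pedal) { return pedal >= 0 && pedal <= PEDAL_MAX; }

/* The algorithm every ECU runs (hypothetical linear map to 0..255). */
int brake_command(int pedal) { return pedal * 255 / PEDAL_MAX; }

/* Cross-check of exchanged result signals. Returns the index of the ECU
 * that disagrees with the most peers, -1 if all agree, or -2 if the
 * disagreement does not single out one node. */
int identify_faulty(const int result[N_ECU]) {
    int worst = -1, worst_count = 0, tie = 0;
    for (int i = 0; i < N_ECU; i++) {
        int disagree = 0;
        for (int j = 0; j < N_ECU; j++)
            if (j != i && abs(result[i] - result[j]) > TOLERANCE)
                disagree++;
        if (disagree > worst_count) {
            worst = i; worst_count = disagree; tie = 0;
        } else if (disagree > 0 && disagree == worst_count) {
            tie = 1;
        }
    }
    if (worst_count == 0) return -1;
    return tie ? -2 : worst;
}

/* One cycle: each ECU processes its decoded pedal value, then the
 * results are compared as if exchanged over the buses. */
int run_cycle(const int decoded[N_ECU]) {
    int result[N_ECU];
    for (int i = 0; i < N_ECU; i++)
        result[i] = brake_command(decoded[i]);
    return identify_faulty(result);
}

int main(void) {
    /* Constructed sample: pedal sends 400; ECU index 2 mis-decodes it as
     * 656, which is still inside the allowed range. */
    int decoded[N_ECU] = {400, 400, 656, 400};
    printf("self-test of ECU 2 passes: %d\n", self_test_ok(decoded[2]));
    printf("cross-check flags ECU index: %d\n", run_cycle(decoded));
    return 0;
}
```

When two ECUs fail in the same way, the four results split two against two and the function reports that no single node can be identified, which is the limit of majority voting with four nodes.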
As each ECU regularly re-transmits its received signals, the system 5 is able to survive faults that would otherwise cause it to be partially disabled.
For example, if the first ECU 10 cannot access the electronic signals from the brake pedal unit 50 directly due to a communications fault, it can use the electronic signals passed via the second, third or fourth ECUs 20, 30 and 40 respectively.
An advantage gained from this layout is that identical signals from the brake pedal unit 50 are available to all parts of the system 5 at the same time. This simplifies the error-detection task, as when correctly operating, all ECUs can perform identical operations on identical signals, and any differences indicate a fault.
It will be appreciated that alternative embodiments to the one described above are possible. For example, a single rear brake ECU could be used to replace the third and fourth ECUs 30 and 40, whereby the single rear brake ECU would be coupled to the third and fourth brake actuators 35 and 45 respectively.
Jordan, Mark John; Maiolani, Mark; Both, Andreas
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
May 04 2001 | BOTH, ANDREAS | Motorola, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 011973 | /0054 | |
May 09 2001 | MAIOLANI, MARK | Motorola, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 011973 | /0054 | |
May 21 2001 | JORDAN, MARK JOHN | Motorola, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 011973 | /0054 | |
Jul 06 2001 | Motorola, Inc. | (assignment on the face of the patent) | / | |||
Apr 04 2004 | Motorola, Inc | Freescale Semiconductor, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 015698 | /0657 | |
Dec 01 2006 | FREESCALE ACQUISITION CORPORATION | CITIBANK, N A AS COLLATERAL AGENT | SECURITY AGREEMENT | 018855 | /0129 | |
Dec 01 2006 | FREESCALE HOLDINGS BERMUDA III, LTD | CITIBANK, N A AS COLLATERAL AGENT | SECURITY AGREEMENT | 018855 | /0129 | |
Dec 01 2006 | FREESCALE ACQUISITION HOLDINGS CORP | CITIBANK, N A AS COLLATERAL AGENT | SECURITY AGREEMENT | 018855 | /0129 | |
Dec 01 2006 | Freescale Semiconductor, Inc | CITIBANK, N A AS COLLATERAL AGENT | SECURITY AGREEMENT | 018855 | /0129 | |
Apr 13 2010 | Freescale Semiconductor, Inc | CITIBANK, N A , AS COLLATERAL AGENT | SECURITY AGREEMENT | 024397 | /0001 | |
May 21 2013 | Freescale Semiconductor, Inc | CITIBANK, N A , AS NOTES COLLATERAL AGENT | SECURITY AGREEMENT | 030633 | /0424 | |
Nov 01 2013 | Freescale Semiconductor, Inc | CITIBANK, N A , AS NOTES COLLATERAL AGENT | SECURITY AGREEMENT | 031591 | /0266 | |
Dec 07 2015 | CITIBANK, N A | MORGAN STANLEY SENIOR FUNDING, INC | ASSIGNMENT AND ASSUMPTION OF SECURITY INTEREST IN PATENTS | 037486 | /0517 | |
Dec 07 2015 | CITIBANK, N A | MORGAN STANLEY SENIOR FUNDING, INC | CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENTS 8108266 AND 8062324 AND REPLACE THEM WITH 6108266 AND 8060324 PREVIOUSLY RECORDED ON REEL 037518 FRAME 0292 ASSIGNOR S HEREBY CONFIRMS THE ASSIGNMENT AND ASSUMPTION OF SECURITY INTEREST IN PATENTS | 041703 | /0536 | |
Dec 07 2015 | CITIBANK, N A | MORGAN STANLEY SENIOR FUNDING, INC | CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 11759915 AND REPLACE IT WITH APPLICATION 11759935 PREVIOUSLY RECORDED ON REEL 037486 FRAME 0517 ASSIGNOR S HEREBY CONFIRMS THE ASSIGNMENT AND ASSUMPTION OF SECURITY INTEREST IN PATENTS | 053547 | /0421 | |
Dec 07 2015 | CITIBANK, N A , AS COLLATERAL AGENT | Freescale Semiconductor, Inc | PATENT RELEASE | 037354 | /0225 | |
May 25 2016 | Freescale Semiconductor, Inc | MORGAN STANLEY SENIOR FUNDING, INC | SUPPLEMENT TO THE SECURITY AGREEMENT | 039138 | /0001 | |
Jun 22 2016 | MORGAN STANLEY SENIOR FUNDING, INC | NXP B V | RELEASE BY SECURED PARTY SEE DOCUMENT FOR DETAILS | 040928 | /0001 | |
Jun 22 2016 | MORGAN STANLEY SENIOR FUNDING, INC | NXP B V | CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 11759915 AND REPLACE IT WITH APPLICATION 11759935 PREVIOUSLY RECORDED ON REEL 040928 FRAME 0001 ASSIGNOR S HEREBY CONFIRMS THE RELEASE OF SECURITY INTEREST | 052915 | /0001 | |
Sep 12 2016 | MORGAN STANLEY SENIOR FUNDING, INC | NXP, B V , F K A FREESCALE SEMICONDUCTOR, INC | RELEASE BY SECURED PARTY SEE DOCUMENT FOR DETAILS | 040925 | /0001 | |
Sep 12 2016 | MORGAN STANLEY SENIOR FUNDING, INC | NXP, B V F K A FREESCALE SEMICONDUCTOR, INC | CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE APPLICATION 11759915 AND REPLACE IT WITH APPLICATION 11759935 PREVIOUSLY RECORDED ON REEL 040925 FRAME 0001 ASSIGNOR S HEREBY CONFIRMS THE RELEASE OF SECURITY INTEREST | 052917 | /0001 | |
Nov 07 2016 | Freescale Semiconductor, Inc | NXP USA, INC | CORRECTIVE ASSIGNMENT TO CORRECT THE NATURE OF CONVEYANCE PREVIOUSLY RECORDED AT REEL: 040652 FRAME: 0241 ASSIGNOR S HEREBY CONFIRMS THE MERGER AND CHANGE OF NAME | 041260 | /0850 | |
Nov 07 2016 | Freescale Semiconductor, Inc | NXP USA, INC | MERGER SEE DOCUMENT FOR DETAILS | 040652 | /0241 | |
Feb 17 2019 | MORGAN STANLEY SENIOR FUNDING, INC | SHENZHEN XINGUODU TECHNOLOGY CO , LTD | CORRECTIVE ASSIGNMENT TO CORRECT THE TO CORRECT THE APPLICATION NO FROM 13,883,290 TO 13,833,290 PREVIOUSLY RECORDED ON REEL 041703 FRAME 0536 ASSIGNOR S HEREBY CONFIRMS THE THE ASSIGNMENT AND ASSUMPTION OF SECURITY INTEREST IN PATENTS | 048734 | /0001 | |
Sep 03 2019 | MORGAN STANLEY SENIOR FUNDING, INC | NXP B V | RELEASE BY SECURED PARTY SEE DOCUMENT FOR DETAILS | 050744 | /0097 |